[Samba] Mounting Samba shares with Kerberos
Rowland Penny
rpenny at samba.org
Tue Jan 16 09:51:34 UTC 2024
On Tue, 16 Jan 2024 08:25:34 +0100
"Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
>
> Bonus question:
> can I make this work with SSH as well?
Yes.
> As we now know, Kerberos is configured correctly on my computer, as I
> can access Samba shares. Perfect! Now it would be fantastic if the
> Kerberos ticket can also be used for SSH authentication. I have
> tested this, but also, no success. I tried to debug but I lack some
> Kerberos experience, therefore I cannot judge but at first sight, it
> seems to work, but in the end, asks for a password anyways. Possible
> to fix?
Oh, you want to know how to do it :-)

CLIENT:

/etc/ssh/ssh_config

Host *
#   PasswordAuthentication no
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    GSSAPIRenewalForcesRekey yes
Host *.samdom.example.com
#   It's best to limit this option to only trusted hosts:
    GSSAPIDelegateCredentials yes

/etc/ssh/sshd_config

SyslogFacility AUTH
LogLevel INFO
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*ucs samba
Subsystem sftp /usr/lib/openssh/sftp-server
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

SERVER:

/etc/ssh/ssh_config

Include /etc/ssh/ssh_config.d/*.conf
Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes

/etc/ssh/sshd_config

Include /etc/ssh/sshd_config.d/*.conf
Port 22
SyslogFacility AUTH
LogLevel INFO
PubkeyAuthentication no
PasswordAuthentication no
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server

Rowland
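
The note in the client config about limiting GSSAPIDelegateCredentials to trusted hosts can be checked mechanically. The following is an added example, not part of the original message: it resolves which hosts a given ssh_config would delegate credentials to, using the ssh_config rule that the first value obtained for a keyword wins. The function names, the host names passed to it and the weak variant are constructed for illustration; Match blocks and Include files are not evaluated.

```python
import re
from fnmatch import fnmatchcase

def host_matches(patterns, hostname):
    """True if some pattern matches and no negated ('!') pattern does."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(hostname, pat[1:].lower()):
                return False
        elif fnmatchcase(hostname, pat.lower()):
            matched = True
    return matched

def effective(config_text, hostname, keyword):
    """Value ssh would use for keyword on hostname; None means the default."""
    active = True  # options before the first Host line apply to all hosts
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"([^\s=#]+)(?:\s*=\s*|\s+)(.*)", line)
        if not m:
            continue  # blank line, comment, or keyword without a value
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            active = host_matches(value.split(), hostname.lower())
        elif key == "match":
            active = False  # assumption: Match blocks are skipped
        elif active and key == keyword.lower():
            return value  # first value obtained wins; later blocks are ignored
    return None

def delegates_to(config_text, hosts):
    """Hosts that would be sent a forwarded TGT under this configuration."""
    key = "GSSAPIDelegateCredentials"
    return [h for h in hosts if (effective(config_text, h, key) or "no").lower() == "yes"]

# Client layout from the message above, reduced to the GSSAPI lines.
PAGE_CLIENT = """\
Host *
    GSSAPIAuthentication yes
Host *.samdom.example.com
    GSSAPIDelegateCredentials yes
"""
# Constructed weak variant: delegation placed in the catch-all block.
WEAK_CLIENT = """\
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
"""
```

On a real client, `ssh -G <hostname>` prints the options OpenSSH itself resolves for that host, including Match and Include handling that this sketch leaves out.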